Security

What Is a BAA, and Why Does Your Therapy Practice Need One?

A plain-English guide to Business Associate Agreements, why therapy practices need them, and how to think about vendors that may handle PHI.

By Pebble Team

If you run a therapy practice, you probably spend a lot of time thinking about client care, scheduling, notes, billing, and documentation. HIPAA paperwork is rarely the exciting part.

But one document matters more than many practice owners realize: the Business Associate Agreement, often shortened to BAA.

A BAA is one of the key contracts that helps keep client health information protected when your practice uses outside vendors.

What Is a BAA?

A Business Associate Agreement is a written contract between a HIPAA-covered provider and a vendor that may create, receive, maintain, or transmit protected health information, or PHI, on the provider's behalf.

In plain English: if a vendor helps your practice run and that vendor touches client health information, you probably need a BAA with them.

HHS explains that covered entities must have written agreements with business associates that define how PHI may be used, require safeguards, require breach reporting, and require subcontractors to follow similar protections.

Why Therapists Need BAAs

Therapy practices often rely on cloud-based tools for everyday operations:

  • EHR and practice management software
  • Telehealth platforms
  • Email and workspace tools
  • Online forms and document storage
  • Billing and claims tools
  • Payment workflows
  • Appointment reminders
  • Client messaging

Some of these tools may handle PHI directly. Others may only handle limited administrative information. The important question is not "Is this software healthcare-specific?" The question is:

Could this vendor create, receive, maintain, or transmit PHI for your practice?

If yes, a BAA likely belongs in the conversation.

Common BAAs a Therapy Practice May Sign

A therapy practice may sign several different BAAs, depending on its setup.

1. EHR or Practice Management BAA

Your EHR is usually one of your most important business associates. It may store or process client demographics, appointments, clinical documentation, billing records, treatment plans, uploaded documents, portal messages, payment-related workflows, reminders, and more.

If your EHR handles PHI, your practice should have a BAA with that vendor.

Pebble is designed to bring many of these workflows into one system: scheduling, documentation, client records, portal communication, billing workflows, reminders, telehealth-related workflows, and practice operations. That means your Pebble BAA is intended to cover Pebble's role as your business associate across the PHI-handling workflows Pebble provides, instead of requiring you to manage separate BAAs for each internal Pebble feature. If you are comparing systems for your practice, sign up for Pebble to learn how those workflows fit together.

2. Telehealth BAA

If you use a video platform for therapy sessions, make sure the platform supports HIPAA-appropriate use and offers a BAA.

Not every video conferencing plan is designed for healthcare. A consumer or standard business plan may not be enough.

If telehealth is provided through or integrated into your EHR, review whether that workflow is covered by your EHR vendor's BAA and whether any third-party video provider is also involved.

3. Email and Workspace BAA

If your practice uses email, cloud documents, shared drives, or calendar tools in connection with client information, you may need a BAA with that workspace provider.

Even with a BAA, you still need to configure the account properly: access controls, sharing restrictions, MFA, audit logs, retention settings, and policies around what staff may send or store.

A BAA Is Not a Magic Shield

A signed BAA does not automatically make a vendor safe or make your practice HIPAA-compliant.

A BAA is a required contract, but you still need to ask practical questions:

  • What PHI will this vendor receive?
  • Does the vendor actually support HIPAA-appropriate use?
  • Which product tier is covered?
  • Are all features covered, or only certain services?
  • Does the vendor use subcontractors?
  • What happens if there is a breach?
  • How can data be returned or deleted if the relationship ends?
  • Who at your practice has access?

Compliance is not just signing paperwork. It is choosing the right tools, configuring them correctly, training your team, and reviewing access over time.

When You May Not Need a BAA

Not every vendor needs a BAA.

For example, you may not need one if the vendor never handles PHI. A website analytics tool used only on your public marketing site may not need a BAA if no client-identifying health information is collected.

But be careful. The moment a tool starts collecting intake information, appointment requests, client messages, uploaded documents, or billing details, the analysis changes.

How Pebble Thinks About BAAs

At Pebble, we treat BAAs as part of the foundation of responsible therapy software.

That means:

  • We identify vendors that may handle PHI.
  • We sign BAAs with covered infrastructure and service providers where required.
  • We limit PHI exposure to vendors that are appropriate for healthcare workflows.
  • We document vendor decisions, including "no PHI allowed" tools.
  • We design our systems so audit logging, access control, encryption, and operational safeguards are part of the product, not afterthoughts.

For therapy practices, the goal is not to become a legal expert. The goal is to know where client information goes, make sure the right agreements are in place, and use systems built for the responsibilities that come with healthcare data.

A Simple Practice Checklist

Before using a new vendor, ask:

  • Will this vendor handle PHI?
  • Does the vendor offer a BAA?
  • Is my specific product plan covered?
  • Have I stored the signed BAA somewhere accessible?
  • Have I configured access, sharing, and security settings?
  • Have I documented whether PHI is allowed in this tool?
  • Do staff know how the tool may and may not be used?

If the answer is unclear, pause before putting client information into the system.

Final Thought

A BAA is not just paperwork. It is a signal that a vendor understands its role in protecting client health information.

For therapy practices, BAAs help clarify responsibility: your practice protects client information, your software vendors agree to protect the information they handle for you, and every tool in your workflow has a defined role.

That clarity matters. It protects your clients, your practice, and the trust that therapy depends on.

Pebble is built for HIPAA-aware therapy practice workflows. Sign up for Pebble to get product updates, access details, and a simpler way to run your practice.